Trend Micro Confidential 9/23/2015 Threat Rules Sharing Advanced Threats Research.


Slide 1 - Threat Rules Sharing: Advanced Threats Research (Trend Micro Confidential, 9/23/2015)

Slide 2 - Classification: What threats do we cover?
Copyright 2007 - Trend Micro Inc.
Prevalent threat types:
- Downloaders
- BOTs
- Spyware / Grayware
- Backdoors
- Mass Mailers
- Phishing
- Exploits
- Hacking

Slide 3 - Classification: How detections are organized
Detection threat categories and sub-categories:
- Known Security Risks
  - Virus/Malware: VSAPI, Network Virus Patterns
  - Spyware/Grayware: VSAPI/SSAPI
- Potential Security Risks
  - Virus/Malware
  - Spyware/Grayware
  - Fraud
  - Other

Slide 4 - Downloaders: What characteristics are we looking for
- Packed / compressed executables
- Names of downloaded files belong to system files: svchost.exe, winlogon.exe, lsass.exe
- File extension does not match the expected file type: JPG extension but the file is actually an EXE

Slide 5 - Spyware/Grayware: What characteristics are we looking for
- Unique / unknown HTTP user-agents
- Names of downloaded files belong to trademarked/copyrighted spyware applications: Gain, Media Motor, Hotbar, SpySheriff
- Unexpected type of traffic: SMTP relay traffic or DNS MX queries appearing on workstations

Slide 6 - Backdoors: What characteristics are we looking for
- Rogue services: unauthorized SMTP and HTTP servers
- Opened ports
- Loopback command shells: DOS shell visible in the network traffic
- Non-standard service ports: HTTP traffic on a non-HTTP port

Slide 7 - Mass mailers: What characteristics are we looking for
- Attachments with long filenames (space padded)
- File extensions do not match the expected file type
- File inside an archive attachment carries a double extension
- Packed files

Slide 8 - Bots: What characteristics are we looking for
- IRC traffic
- Policy violations
- Protocol mismatches: IRC traffic on port 8080 (HTTP proxy)
- Non-standard service ports: HTTP traffic on non-HTTP ports
- File transfers to blacklisted domains

Slide 9 - Hacking: What characteristics are we looking for
- Password guessing
- Exploit attempts
- DNS poisoning
- Network flooding

Slide 10 - Mitigable Threat Rules

Policy ID | Mitigation                    | Condition
----------|-------------------------------|----------------------------------------------------------------------------
1         | Known external attacks        | Internal computer downloading Malware/Spyware via HTTP protocol
2         | Known external attacks        | Internal computer downloading Malware via FTP protocol
3         | Known internal detections     | Internal computer propagating Malware via SMB (network share) protocol
4         | Known internal detections     | Internal computer propagating Malware via SMTP protocol
5         | Known internal detections     | Internal computer propagating Malware via IM protocols
6         | Known internal detections     | Internal computer attacking the network with network viruses
7         | Potential external attacks    | Internal computer downloading potential threats via HTTP protocol
8         | Potential internal detections | Internal computer propagating via SMB (network share) protocol
9         | Potential internal detections | Internal computer propagating potential threats via SMTP protocol
10        | Potential internal detections | Internal computer attacking the network with potential network viruses/exploits
11        | Potential internal detections | Internal computer infected by BOT
12        | Potential internal detections | Internal computer compromised by Exploit or infected by Backdoor
13        | Potential internal detections | Internal computer infected by potential Downloader

Slide 11 - Policy 7: Internal computer downloading potential threats via HTTP protocol
- Rule 23 - Downloaded file matches malware-used filenames
- Rule 66 - HTTP download found file type mismatch & file content is EXE

Slide 12 - Scenario (diagram). Labels: Malicious Website, Internet, Corporate Network. Rules shown: Rule 23 - Downloaded file matches malware-used filenames; Rule 66 - HTTP download found file type mismatch & file content is EXE. Example detections: TROJ_DLOADER, TROJ_AGENT, WORM_STRAT.

Slide 13 - Policy 8: Internal computer propagating via SMB (network share) protocol
- Rule 8 - Packed executable file dropped on a network share

Slide 14 - Scenario (diagram). Labels: Corporate Network, Admin$, C$. Rule shown: Rule 8 - Packed executable file dropped on a network share. Example detections: WORM_AGOBOT, PE_LOOKED.

Slide 15 - Policy 9: Internal computer propagating potential threats via SMTP protocol
- Rule 9 - Suspicious archive file found & file type mismatched & file content is EXE
- Rule 12 - Suspicious archive file found & filename found with suspicious double extensions
- Rule 13 - Suspicious archive file found & filename found with suspicious long filename
- Rule 55 - Suspicious filename found & filename found with suspicious long filename & file content is EXE
- Rule 72 - Email contains a suspicious link to a possible Phishing site

Slide 16 - Scenario (diagram). Labels: Internal Mail Server, Corporate Network, Internet, External Mail Server (two). Example detections: WORM_NETSKY, WORM_MYTOB, WORM_AGOBOT.
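The mail-attachment characteristics from slide 7 and the Policy 9 rules on slide 15 (Rules 9, 12, 13 and 55) as an added Python example. This is illustration code written for this transcript, not Trend Micro's rule engine: it builds a constructed MIME message in memory, walks its attachments, opens ZIP attachments to inspect their members, and reports which rule each file would trigger. The 60-character "long filename" cut-off, the executable-extension set, the MZ-header test and the sample message are all assumptions; Rule 72 (phishing link) is not covered.

```python
import base64
import email
import io
import zipfile

# Extensions that execute when double-clicked. A second extension in front of
# one of these ("invoice.pdf.exe") is the double-extension trick.
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd"}

# Assumption: demo cut-off for a "suspicious long filename"; not the product's value.
LONG_FILENAME_THRESHOLD = 60


def extension_of(name: str) -> str:
    return name.lower().rstrip().rsplit(".", 1)[-1]


def is_double_extension(name: str) -> bool:
    parts = name.lower().rstrip().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT


def is_suspicious_long_filename(name: str) -> bool:
    """Space padding pushes the real extension past what a mail client shows."""
    return len(name) >= LONG_FILENAME_THRESHOLD and "  " in name


def content_is_exe(data: bytes) -> bool:
    return data.startswith(b"MZ")


def rules_for_file(name: str, data: bytes, in_archive: bool) -> list:
    """Rule numbers (from the slide) that one file or archive member triggers."""
    hits = []
    exe = content_is_exe(data)
    if in_archive:
        if exe and extension_of(name) not in EXECUTABLE_EXT:
            hits.append("Rule 9")    # archive member: type mismatch & content is EXE
        if is_double_extension(name):
            hits.append("Rule 12")   # archive member with a double extension
        if is_suspicious_long_filename(name):
            hits.append("Rule 13")   # archive member with a padded long filename
    if is_suspicious_long_filename(name) and exe:
        hits.append("Rule 55")       # padded long filename & content is EXE
    return hits


def analyze_message(raw: bytes) -> dict:
    """Attachment (or 'archive:member') name -> rules it triggers."""
    msg = email.message_from_bytes(raw)
    report = {}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if data.startswith(b"PK\x03\x04"):          # look inside ZIP attachments
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    hits = rules_for_file(member, zf.read(member), in_archive=True)
                    if hits:
                        report[f"{name}:{member}"] = hits
        else:
            hits = rules_for_file(name, data, in_archive=False)
            if hits:
                report[name] = hits
    return report


PADDED_NAME = "statement.txt" + " " * 70 + ".exe"   # constructed sample name


def build_sample_message() -> bytes:
    """Constructed mail: a ZIP holding a double-extension EXE and an EXE named
    as a JPG, a space-padded EXE attachment, and a benign PDF."""
    fake_exe = b"MZ" + b"\x90" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", fake_exe)
        zf.writestr("photo.jpg", fake_exe)
        zf.writestr("readme.txt", b"hello")
    attachments = [("docs.zip", "application/zip", buf.getvalue()),
                   (PADDED_NAME, "application/octet-stream", fake_exe),
                   ("brochure.pdf", "application/pdf", b"%PDF-1.4 benign")]
    lines = ["From: sender@example.test", "To: victim@example.test",
             "Subject: documents", "MIME-Version: 1.0",
             'Content-Type: multipart/mixed; boundary="BOUNDARY"', "",
             "--BOUNDARY", "Content-Type: text/plain", "", "see attached"]
    for name, ctype, data in attachments:
        lines += ["--BOUNDARY", f"Content-Type: {ctype}",
                  f'Content-Disposition: attachment; filename="{name}"',
                  "Content-Transfer-Encoding: base64", "",
                  base64.b64encode(data).decode("ascii")]
    lines += ["--BOUNDARY--", ""]
    return "\r\n".join(lines).encode("ascii")


if __name__ == "__main__":
    for name, hits in analyze_message(build_sample_message()).items():
        print(repr(name), hits)
```

The archive members are checked by their names inside the ZIP rather than by the attachment name, which is why a ZIP called docs.zip still surfaces invoice.pdf.exe (Rule 12) and an MZ body named photo.jpg (Rule 9); a real engine would also recurse into nested archives and handle non-ZIP formats.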

Slide 17 - Policy 10: Internal computer attacking the network with potential network viruses/exploits
- Rule 67 - Cross-Site Scripting (XSS) found
- Rule 68 - Oracle HTTP Exploit found

Slide 18 - Scenario (diagram). Labels: Corporate Network, Command Shell Exploit, HACKER TOOLS.

Slide 19 - Policy 11: Internal computer infected by BOT
- Rule 7 - IRC BOT commands found
- Rule 26 - IRC session established with a known bad C&C

Slide 20 - Scenario (diagram). Labels: Corporate Network, Internet, IRC Server. Rules shown: Rule 7 - IRC BOT commands found; Rule 26 - IRC session established with a known bad C&C. Example detection: WORM_IRCBOT.EN.

Slide 21 - Policy 12: Internal computer compromised by Exploit or infected by Backdoor
- Rule 17 - Suspicious Remote Command Shell found

Slide 22 - Scenario (diagram). Labels: Corporate Network, Command Shell Exploit. Example detections: WORM_MSBLAST, WORM_SASSER.
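The network-side characteristics from slides 5, 6 and 8 (unexpected SMTP from workstations, a DOS shell visible in traffic, IRC on port 8080, HTTP on a non-HTTP port) and the Policy 11 and 12 rules on slides 19 and 21 (Rule 26 known-bad C&C, Rule 17 remote command shell) as one added Python example. It is illustration code for this transcript, not Trend Micro's network-virus engine: it identifies a flow's application protocol from the first payload bytes, compares that with what the destination port normally carries, and applies a host-role table. The signature set, the port table, the host roles, the C&C blocklist (a documentation-range address) and the sample flows are all constructed assumptions.

```python
import re

# Payload signatures, checked in order; first hit wins. HTTP goes first so a
# web page that happens to contain "JOIN " is not mistaken for IRC.
SIGNATURES = [
    (re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS) \S+ HTTP/1\.[01]\r\n"), "HTTP"),
    (re.compile(rb"^HTTP/1\.[01] \d{3} "), "HTTP"),
    (re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG|PASS) ", re.M), "IRC"),
    (re.compile(rb"^:\S+ (PRIVMSG|NOTICE|001|433) "), "IRC"),
    (re.compile(rb"^(EHLO|HELO|MAIL FROM:|RCPT TO:)", re.I), "SMTP"),
    (re.compile(rb"^220 \S+ E?SMTP", re.I), "SMTP"),
    # A Windows command interpreter talking over a socket: its banner or prompt.
    (re.compile(rb"Microsoft Windows \[Version|[A-Z]:\\[^\r\n]*>\s*$"), "CMD_SHELL"),
]

# Ports each protocol is normally served on (assumption: a small demo table).
STANDARD_PORTS = {"HTTP": {80, 8080, 8000}, "SMTP": {25, 587}, "IRC": {6667, 6697}}
EXPECTED_ON_PORT = {p: proto for proto, ports in STANDARD_PORTS.items() for p in ports}

# Constructed asset roles: only the mail server is expected to speak SMTP.
ROLE = {"10.0.0.5": "mail-server", "10.0.0.21": "workstation", "10.0.0.22": "workstation"}

# Constructed C&C blocklist; stands in for the feed behind Rule 26.
KNOWN_BAD_CC = {"203.0.113.7"}


def identify_protocol(payload: bytes) -> str:
    """Application protocol implied by the first payload bytes of a flow."""
    for pattern, proto in SIGNATURES:
        if pattern.search(payload):
            return proto
    return "UNKNOWN"


def classify_flow(src: str, dst: str, dst_port: int, payload: bytes) -> list:
    """Findings for one flow; payload is the first data seen in either direction."""
    proto = identify_protocol(payload)
    expected = EXPECTED_ON_PORT.get(dst_port)
    findings = []
    if proto == "CMD_SHELL":
        findings.append("Rule 17: suspicious remote command shell")
    if proto == "IRC" and dst in KNOWN_BAD_CC:
        findings.append(f"Rule 26: IRC session with known bad C&C {dst}")
    if expected and proto not in ("UNKNOWN", expected):
        # slide 8: e.g. IRC on 8080, where the HTTP proxy should be
        findings.append(f"protocol mismatch: {proto} on port {dst_port} (expected {expected})")
    elif proto in STANDARD_PORTS and dst_port not in STANDARD_PORTS[proto]:
        # slides 6 and 8: a known service on a port nobody assigned to it
        findings.append(f"{proto} traffic on non-{proto} port {dst_port}")
    if proto == "SMTP" and ROLE.get(src) == "workstation":
        findings.append(f"unexpected SMTP traffic from workstation {src}")   # slide 5
    return findings


# Constructed sample payloads and flows (src, dst, dst_port, first payload).
SHELL_BANNER = (b"Microsoft Windows [Version 5.1.2600]\r\n"
                b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>")
SAMPLE_FLOWS = [
    ("10.0.0.21", "198.51.100.9", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("10.0.0.21", "198.51.100.9", 8080, b"NICK w0rm2193\r\nUSER w0rm 0 * :w0rm\r\nJOIN #chan\r\n"),
    ("10.0.0.22", "203.0.113.7", 6667, b"NICK bot001\r\nUSER bot 0 * :bot\r\n"),
    ("10.0.0.22", "10.0.0.21", 4444, SHELL_BANNER),
    ("10.0.0.21", "10.0.0.9", 4444, b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ("10.0.0.21", "192.0.2.25", 25, b"EHLO pc21.corp.test\r\n"),
    ("10.0.0.5", "192.0.2.25", 25, b"EHLO mail.corp.test\r\n"),
]


def run_samples() -> dict:
    """'src->dst:port' -> findings for every constructed flow."""
    return {f"{s}->{d}:{p}": classify_flow(s, d, p, body) for s, d, p, body in SAMPLE_FLOWS}


if __name__ == "__main__":
    for flow, findings in run_samples().items():
        print(f"{flow:32} {findings or 'clean'}")
```

Only plaintext flows can be classified this way; the TLS sample in the test falls through as UNKNOWN and produces no finding, which is the caveat behind the port-based heuristics on slides 6 and 8: a shell or IRC session wrapped in TLS on port 443 looks like any other HTTPS connection, so role and destination-reputation checks (Rule 26) remain useful even when the payload is opaque.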

Slide 23 - Policy 13: Internal computer infected by potential Downloader
- Rule 88 - HTTP requests attempted to download known Malware-used filenames

Slide 24 - Scenario (diagram). Labels: Malicious Website, Corporate Network, Internet. Rule shown: Rule 88 - HTTP requests attempted to download known Malware-used filenames. Example detections: TROJ_DLOADER, TROJ_AGENT.
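The file-level characteristics from slide 4 (packed executables, system-file names, extension/content mismatch) and the rules built on them, Rule 23 and Rule 66 on slide 11, Rule 8 on slide 13 and Rule 88 on slide 23, as one added Python example. This is illustration code for this transcript, not Trend Micro's scanner: it identifies the real file type from magic bytes, compares it with what the extension claims, checks the requested or downloaded name against the slide's three system-file names, and uses byte entropy as a stand-in for "packed". The filename list, the magic table, the 7.0-bit entropy cut-off and the sample files and URLs are constructed assumptions.

```python
import math
import random
from pathlib import PurePosixPath

# Filenames that downloaders reuse so the payload looks like a Windows system
# file (the slide's three examples; a production list would be far longer).
MALWARE_USED_FILENAMES = {"svchost.exe", "winlogon.exe", "lsass.exe"}

# Leading magic bytes -> real file type. Only the types the demo needs.
MAGIC = [(b"MZ", "EXE"), (b"\xff\xd8\xff", "JPG"), (b"%PDF", "PDF"),
         (b"PK\x03\x04", "ZIP"), (b"\x89PNG", "PNG")]

# Extension -> type the name claims. Unlisted extensions are "UNKNOWN" and
# never produce a mismatch, so a bare ".bin" or ".dat" is not flagged here.
EXTENSION_TYPE = {".exe": "EXE", ".dll": "EXE", ".jpg": "JPG", ".jpeg": "JPG",
                  ".pdf": "PDF", ".zip": "ZIP", ".png": "PNG"}

# Assumption: demo cut-off for "packed"; not a Trend Micro value.
PACKED_ENTROPY_THRESHOLD = 7.0


def sniff_type(data: bytes) -> str:
    """Type implied by the content's magic bytes, ignoring the filename."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "UNKNOWN"


def declared_type(filename: str) -> str:
    """Type the filename extension claims."""
    return EXTENSION_TYPE.get(PurePosixPath(filename.lower()).suffix, "UNKNOWN")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Packed or compressed executables sit close to 8.0; a
    plain PE with zero padding and readable strings sits far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def check_http_request(url: str) -> list:
    """Rule 88: the request itself asks for a malware-used filename."""
    name = url.rsplit("?", 1)[0].rsplit("/", 1)[-1].lower()
    return ["Rule 88"] if name in MALWARE_USED_FILENAMES else []


def analyze_file(filename: str, content: bytes, via: str) -> list:
    """Rules triggered by one observed file.

    via="http": file body seen in an HTTP download (Rules 23 and 66).
    via="smb":  file written to a network share (Rule 8)."""
    name = PurePosixPath(filename).name.lower()
    real = sniff_type(content)
    hits = []
    if via == "http":
        if name in MALWARE_USED_FILENAMES:
            hits.append("Rule 23")
        if real == "EXE" and declared_type(name) not in ("EXE", "UNKNOWN"):
            hits.append("Rule 66")
    elif via == "smb":
        if real == "EXE" and shannon_entropy(content) >= PACKED_ENTROPY_THRESHOLD:
            hits.append("Rule 8")
    return hits


# Constructed samples. The "packed" body is seeded random bytes behind an MZ
# header; the plain one is mostly zero padding plus a DOS-stub string.
_rng = random.Random(2015)
PACKED_EXE = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_EXE = b"MZ" + b"\x00" * 2000 + b"This program cannot be run in DOS mode.\r\n" * 20
REAL_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 64

SAMPLES = [  # (location, filename, body, transport)
    ("http://198.51.100.9/update/svchost.exe", "svchost.exe", PLAIN_EXE, "http"),
    ("http://198.51.100.9/img/holiday.jpg", "holiday.jpg", PACKED_EXE, "http"),
    ("http://198.51.100.9/img/photo.jpg", "photo.jpg", REAL_JPG, "http"),
    ("\\\\fileserver\\Admin$\\setup.exe", "setup.exe", PACKED_EXE, "smb"),
    ("\\\\fileserver\\C$\\notes.exe", "notes.exe", PLAIN_EXE, "smb"),
]


def run_samples() -> dict:
    """Location -> rule hits for every constructed sample."""
    report = {}
    for location, name, body, via in SAMPLES:
        hits = check_http_request(location) if via == "http" else []
        hits += analyze_file(name, body, via)
        report[location] = hits
    return report


if __name__ == "__main__":
    for location, hits in run_samples().items():
        print(f"{location:45} {hits or 'clean'}")
```

Entropy is a triage signal rather than proof of packing: legitimately compressed installers and self-extracting archives score just as high, so a deployment pairs the score with the share context (Admin$ and C$ writes from a workstation, as on slide 14) before raising Policy 8.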

Slide 25 - Classification: Thank You (Trend Micro Confidential, 9/23/2015)

